On 25/09/18 7:48 AM, Marcio Vogel Merlone dos Santos wrote:
> Hi,
>
> Searched google but could not find anyone trying this. I want to use
> some LDAP data to create an ACL not related to authentication or
> users/groups. I want to create an ACL like this pseudo conf:
>
>> external_acl_type myServers ttl=300 ipv4 %SRC
>> /usr/lib/squid/ldap_lookup_acl -p
>>
>> http_access allow myServers
>>
> Where 'myServers' contains a list of machines that don't need to auth
> the service, for example. Other uses would be to define a network list,
> mac lists, people with youtube access, and so on. Is it possible, has
> someone already made it, can anyone point me the direction?

Look at the example configuration for the eDirectory user-IP helper it
uses src-IP as "username" being looked up.
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>

Wrapping is currently broken in that doc, I've fixed that below for clarity:

  external_acl_type IPUser %SRC /usr/sbin/ext_edirectory_userip_acl

  acl edirectory_users_allowed external IPUser \
      cn=Internet_Allowed,ou=ORG,o=BASE

  acl edirectory_users_denied external IPUser \
      cn=Internet_Denied,ou=ORG,o=BASE

  http_access deny edirectory_users_denied
  http_access allow edirectory_users_allowed
  http_access deny all

The above config passes the LDAP path details as %DATA, so the helper
gets told to always use the src-IP as the "username" and each acl line
tells it which LDAP path/directory to check for that particular ACL
test. Allowing multiple tables for different whitelist or blacklist
checks by the same helper.

You may be able to use the above helper as-is, or use the existing AD
LDAP group helpers with %SRC in a similar way. Though the older AD
helpers probably need to use %g macro in the -f filter to specify where
the %DATA portion is to go.

Disclaimer: I have not tried this myself, so YMMV.

Amos
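
The helper side of the exchange described in the message above, as an added example that is not part of the original message and is not code from the Squid project: the helper reads one "<%SRC> <%DATA>" line per lookup and answers OK or ERR, failing closed on anything it cannot parse. Assumptions: the names DIRECTORY, is_member and answer are hypothetical, the in-memory table is constructed sample data standing in for a real LDAP search, the helper runs without concurrency (no channel-ID prefix), and fields are percent-decoded in case Squid URL-escapes them.

```python
#!/usr/bin/env python3
"""Sketch of a Squid external ACL helper keyed on source IP (added example)."""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed sample data standing in for the LDAP directory: each group DN
# maps to the networks listed under it. A real helper would run an LDAP
# search here instead of reading a dict.
DIRECTORY = {
    "cn=internet_allowed,ou=org,o=base": ["192.0.2.10/32", "198.51.100.0/24"],
    "cn=internet_denied,ou=org,o=base": ["203.0.113.7/32"],
}


def is_member(src_ip, group_dn, directory=DIRECTORY):
    """Return True if src_ip falls inside a network listed under group_dn."""
    nets = directory.get(group_dn.lower(), [])
    return any(src_ip in ipaddress.ip_network(n) for n in nets)


def answer(line, directory=DIRECTORY):
    """Turn one request line ("<%SRC> <%DATA>") into the reply for Squid."""
    # Split on whitespace first, then decode, so an escaped space inside a
    # DN does not create an extra field.
    fields = [unquote(f) for f in line.split()]
    if len(fields) != 2:
        return "ERR"  # malformed request: fail closed
    try:
        src_ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return "ERR"  # not an IP address: fail closed
    return "OK" if is_member(src_ip, fields[1], directory) else "ERR"


if __name__ == "__main__":
    # Squid keeps the helper running and writes one request per line.
    for request in sys.stdin:
        sys.stdout.write(answer(request) + "\n")
        sys.stdout.flush()  # reply immediately; buffered output stalls Squid
```

Because unknown DNs and unparsable input both return ERR, a typo in an acl line's path denies the match instead of silently allowing it.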